I made something to do exactly that a while ago. The source code is freely available somewhere (I think I posted it on Halomods). I made a few classes for it in C++.

If you're looking to do this on your own for your own benefit, you'll want to look into ReadProcessMemory() and WriteProcessMemory().

EDIT: Here are the classes. God my C++ skills sucked back in 2004. As CrashTECH pointed out, the locations are liable to change from version to version, but IIRC the locations I chose are never deleted and reallocated. You can be sure they are valid once you've found the correct offset. The offset has likely changed since I wrote this. You should use a memory searching tool (TSearch works very well) to find the initial offset, upon which all others are based.

Sorry for the length.
Player.h:

Code:

/*Player.h

Contains a class that provides functions for reading in and retrieving player information in Halo.
*/
#include <windows.h>
#include <string>

int my_itoa(const int number, char *data);//base can only be 10, and ASSUMES the data buffer supplied is big enough to hold the number

class Player{
    int player_score;
    short player_deaths;
    short player_assists;
    short player_kills;
    short player_betrayals;
    short player_suicides;
    char player_team;
    char player_ingame;
    std::string player_name;
    std::string player_ipadd;
    std::string player_cdkey;
    //end of player data

    //start of class data
    int SIZE;//offset between players
    int ASSISTS;//offset of assists from kills
    int DEATHS;//offset of deaths from kills (beginning of player info structure)
    int SUICIDES;//offset of suicides from kills
    int TKS;//offset of TKs for each player from kills
    int NAMES;//offset of name from player's kills.
    int TEAMS;//IMPORTANT: this is the offset of player teams from player 1 kills! this is an array of characters! ***NOT PART OF THE STRUCTURE***
    int PLAYERIN;//IMPORTANT: this is the offset of player teams from player 1 score! this is an array of separate structures! ***NOT PART OF THE PLAYER INFO STRUCTURE**
    int PLAYERSZ;//Size of the abovementioned structure

    //start of individual class data
    unsigned int player_class_location;
    unsigned int player_score_location;
    unsigned int player_number;

        if(hProc == NULL)
        {
            MessageBox(0, "Couldn't open the Halo process for reading. \nIf you are sure Halo is running and you have access, send an email to Kybo Ren at:\nkyboren@gmail.com", "Warning", MB_OK | MB_ICONWARNING);
            return 0;//0 is fail
        }//we try once more then fail
    }//if hProc still is messed
    int result = 1;
    char name[13];

class Server{
    unsigned long server_PID;//the PID of the server
    unsigned long server_isEnabled;//is it enabled? did the user check off this box?
    unsigned long server_Number;//i.e. 1 for "Halo Console (1)", 2 for "Halo Console (2)"
    unsigned long server_Type;//type of server, i.e. Halo PC DS, Halo CE game
    unsigned long server_Gametype;//gametype on server
    unsigned long server_gametype_loc;//location of gametype on server proc
    HANDLE hProc;//handle to the process
    HANDLE server_thread;//handle to the thread for this process

Yep, that's the idea. I assume you're writing to some internal buffer directly?

BTW, there is a better way of doing the wireframe hack, namely by exploiting the Windows DLL search path and sticking a custom DLL with the same name and interface as the DirectX DLL in the same folder as the Halo EXE.

You might be interested in this then. He basically created his own d3d9.dll and opensourced it.

If you can show me how to use that to put my file into Halo it would be awesome. (It's VC++ 2005 though :/ )

Hehe, Kornman's a smarty. He's been in the Halo PC modding community almost as long as Monoxide. I didn't get a chance to read everything in-depth, but it looks like he's expanded this idea and taken it to a whole new level. You can mod most of the important parts of the game in-memory through a custom DirectX DLL exploiting the same search path issue I talked about earlier. Very cool.

Anyway, I think you're getting confused with what this is doing. It is not loading any file into Halo (well, it is mapping the custom DLL into Halo's memory space [if you open up Memory/MemoryInterface.cpp, see how he can use a regular memcpy() for WriteMemory(), instead of WriteProcessMemory()? That's because we're in the same process], but I don't think that's what you meant). What exactly are you trying to do?

BTW, this will work fine with VC++ 2008 Express Edition. It's free. So is the DirectX SDK (you'll need that, too).
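A defender-side audit of the search-path behaviour discussed above, added here as an example (not code from anyone in this thread or from Open Sauce): it walks an application directory and flags any DLL that shares a name with one in the system directory but has different contents, which is exactly what a planted d3d9.dll beside the game EXE looks like. The directory layout and file contents are constructed inline; "halo.exe" and the temp paths are placeholders.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large DLLs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_shadowing_dlls(app_dir, system_dir):
    """Return (name, app_hash, system_hash) for DLLs in app_dir that share a
    name with a DLL in system_dir but differ in content. The Windows loader
    checks the application directory before System32, so such a file is the
    one actually mapped into the process. Names are compared case-insensitively,
    as the loader does. Caveat: DLLs on the KnownDLLs list are always resolved
    from System32 and are not affected by this search order."""
    system_dlls = {n.lower(): os.path.join(system_dir, n)
                   for n in os.listdir(system_dir) if n.lower().endswith(".dll")}
    findings = []
    for name in sorted(os.listdir(app_dir)):
        key = name.lower()
        if key not in system_dlls:
            continue
        app_hash = sha256_file(os.path.join(app_dir, name))
        sys_hash = sha256_file(system_dlls[key])
        if app_hash != sys_hash:
            findings.append((name, app_hash, sys_hash))
    return findings

def demo():
    """Constructed layout: a byte-identical copy of dinput8.dll next to the
    game (benign), and a rewritten D3D9.dll (flagged). Returns flagged names."""
    with tempfile.TemporaryDirectory() as root:
        sys_dir = os.path.join(root, "System32")
        app_dir = os.path.join(root, "Halo")  # placeholder game folder
        os.mkdir(sys_dir)
        os.mkdir(app_dir)
        files = [(sys_dir, "d3d9.dll", b"MZ real d3d9"),
                 (sys_dir, "dinput8.dll", b"MZ real dinput8"),
                 (app_dir, "D3D9.dll", b"MZ custom proxy"),   # shadows the real one
                 (app_dir, "dinput8.dll", b"MZ real dinput8"),  # same bytes, benign
                 (app_dir, "halo.exe", b"MZ game")]
        for d, n, data in files:
            with open(os.path.join(d, n), "wb") as f:
                f.write(data)
        return [name for name, _, _ in find_shadowing_dlls(app_dir, sys_dir)]
```

On a real machine, point the function at the game folder and the actual System32 directory; a hit means the process will load the local copy, so verify its signature before trusting it.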

Yeh Korn's pretty smart. Thing is, I don't know how to use Open Sauce when I download it and look at the source. I don't know if I need to use addresses and pointers to change what I want or what. If you compile Open Sauce completely then it comes out as d3d9.dll and you replace the original d3d9.dll with it. (Korn's VC++ Express 2005 won't convert to VC++ Express 2008 :/ )

The thing I do is kinda simple. It's a modified Strings.dll that links to another DLL (IGLDLL, not included with Halo) that adds any items in the custom ig\ce folder. Then my .dll that does the wireframe swapping in and out (using code caves) forces dev mode on and off. Korn himself, if you read far enough, told me that there was a more efficient way to do this.

First of all, let me explain what I'm doing: I want to get the text I type and, when I press Enter, it replaces my text with Unicode characters that look cool yet you can still read the message.

(Using OllyDbg) Okay so I've got this address - 004ADDF0. It has something to do with text. So I add a breakpoint, and I found about two lines that show my text. Now what? Do I copy the assembler at those lines?
